National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

CISA says a hacker breached a federal agency

25 September 2020

A hacker gained access to and exfiltrated data from a federal agency, the Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday.

The name of the hacked federal agency, the date of the intrusion, and any details about the intruder, such as an industry codename or state affiliation, were not disclosed.

CISA officials revealed the hack after publishing an in-depth incident response (IR) report detailing the intruder’s every step.

The report, which ZDNet analyzed today, reveals how the intruder gained access to the federal agency’s internal networks through different channels, such as leveraging compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and credentials for the agency’s Pulse Secure VPN server.

CISA said the attacker logged into Office 365 accounts to view and download help desk email attachments with “Intranet access” and “VPN passwords” in the subject line. The attacker searched for these files despite already having privileged access to the agency’s network, most likely to find additional parts of the network to attack.

The attacker also accessed the local Active Directory, where they modified settings and studied the structure of the agency’s internal network.

To keep a quick way back into the federal agency’s network, the hackers installed an SSH tunnel and a reverse SOCKS proxy, deployed custom malware, and connected a hard drive they controlled to the agency’s network as a locally mounted remote share.

“The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” CISA analysts said.

Furthermore, the attacker also created their own local account on the network. By analyzing forensic evidence, CISA said the hacker used this account to browse the local network, run PowerShell commands, and gather important files into ZIP archives. CISA said that it couldn’t confirm whether the attacker exfiltrated the ZIP archives, but this is most likely what happened in the end.

In addition, CISA said the malware the hackers installed on the federal agency’s network “was able to overcome the agency’s anti-malware protection, and inetinfo.exe [the malware] escaped quarantine.”

Nonetheless, investigators said they detected the intrusion via EINSTEIN, CISA’s intrusion detection system that monitors federal civilian networks from a vantage point and was able to compensate for the attacker bypassing local anti-malware solutions.
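The steps above leave traces in ordinary audit sources: mailbox access to help desk messages with credential-related subjects, creation of a local account by someone who is not a provisioning account, and PowerShell archiving commands used to stage data. The following detection logic is an added illustration written for this page, not code from CISA or ZDNet; the event records, field names, user names, IP addresses and the provisioning allowlist are constructed assumptions, while event IDs 4720 (user account created) and 4104 (PowerShell script block logging) are the real Windows identifiers.

```python
import re
from dataclasses import dataclass

# Constructed sample events, not real agency telemetry. The field names are a
# simplified assumption, not the exact O365 unified audit log or Windows schema.
SAMPLE_EVENTS = [
    {"source": "o365", "op": "MailItemsAccessed", "user": "helpdesk@agency.example",
     "subject": "RE: Intranet access for new hire", "ip": "203.0.113.7"},
    {"source": "o365", "op": "MailItemsAccessed", "user": "helpdesk@agency.example",
     "subject": "VPN passwords - reset list", "ip": "203.0.113.7"},
    {"source": "o365", "op": "MailItemsAccessed", "user": "helpdesk@agency.example",
     "subject": "Printer out of toner", "ip": "198.51.100.4"},
    {"source": "win", "event_id": 4720, "actor": "agency\\jdoe", "target": "svcbackup", "host": "FS01"},
    {"source": "win", "event_id": 4104, "actor": "FS01\\svcbackup",
     "script": "Compress-Archive -Path C:\\Shares\\Finance -DestinationPath C:\\temp\\f.zip"},
    {"source": "win", "event_id": 4104, "actor": "agency\\admin1",
     "script": "Get-Service | Where-Object Status -eq Running"},
]

# Subjects the report says the intruder hunted for in help desk mail.
SENSITIVE_SUBJECT = re.compile(r"intranet access|vpn password", re.I)
# Archiving commands commonly used to stage files before exfiltration.
ARCHIVE_CMD = re.compile(r"compress-archive|\b7z\S*\s+a\b", re.I)
# Assumed allowlist of accounts expected to create local users.
PROVISIONING_ACCOUNTS = {"agency\\hr-provisioning"}

@dataclass
class Finding:
    rule: str
    detail: str

def detect(events):
    """Return one Finding per event that matches a rule derived from the report."""
    findings = []
    for e in events:
        if e["source"] == "o365" and e["op"] == "MailItemsAccessed":
            if SENSITIVE_SUBJECT.search(e["subject"]):
                findings.append(Finding("mail-credential-hunting",
                                        f'{e["user"]} from {e["ip"]}: {e["subject"]}'))
        elif e["source"] == "win":
            if e["event_id"] == 4720 and e["actor"] not in PROVISIONING_ACCOUNTS:
                findings.append(Finding("unexpected-local-account",
                                        f'{e["actor"]} created {e["target"]} on {e["host"]}'))
            elif e["event_id"] == 4104 and ARCHIVE_CMD.search(e["script"]):
                findings.append(Finding("powershell-staging-archive",
                                        f'{e["actor"]}: {e["script"]}'))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, "|", f.detail)
```

Each rule on its own is noisy in a real environment; the value is in correlating them, for example the same external IP reading several credential-related help desk messages shortly before a new local account appears.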

The information contained in this website is for general information purposes only. The information is gathered from ZDNET. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
